I am new to ssl / networking and want to utilize mutal ssl ( client verifies server and server verifies peer) I found a white paper (http://www.infidigm.net/articles/qsslsocket_for_ssl_beginners/) online that gave me some guidance for setting up my certs and keys. Now this paper utilizes a local host ip address as the clients cert file. I want to switch this to a register domain name (scp.radiant.io). This FQDN is local to my ubuntu os for testing purposes
updated my localhost to have a domianname (scp.radiant.io). by modifying this file sudo nano /etc/hosts/ to say 127.0.0.1 scp.radiant.io localhost
Next I create certificate and private keys for both client and server
a. Steps for gen certs example for server below. same commands are run for client to create client certs
openssl req -out server_ca.pem -new -x509 -nodes -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=server/emailAddress=radiant.$EMAIL"
mv privkey.pem server_privatekey.pem
touch server_index.txt
echo "00" >> server_index.txt
openssl genrsa -out server_local.key 1024
openssl req -key ${NAME}_local.key -new -out server_local.req -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORG/OU=$ORG_UNIT/CN=scp.radiant.io/emailAddress=$EMAIL"
openssl x509 -req -in ${NAME}_local.req -CA ${NAME}_ca.pem -CAkey server_privatekey.pem -CAserial server_index.txt -out server_local.pem
b. this generates a CaCerts (server_ca.pem and client_ca.pem)
c. this generates a Local Cert files (server_local.pem and client_local.pem).. THIS IS WHERE I SET FQDN to scp.radiant.io
d. this generate a LocalKey (server_local.key and client_local.key)
I use the generated cert files for setting up the ssl configuration on the QSslSocket for both sides like so
//client socket setup
config.setPrivateKey("server_local.key");
config.setLocalCertificate("server_local.pem");
config.addCaCertificate("client_ca.pem");
config.setPeerVerifyMode("QSslSocket::VerifyPeer");
sslSocket->setSslConfiguration(config);
sslSocket->connectToHostEncrypted("scp.radiant.io",1200);
// server socket setup
config.setPrivateKey("client_local.key");
config.setLocalCertificate("client_local.pem");
config.addCaCertificate("server_ca.pem");
config.setPeerVerifyMode("QSslSocket::VerifyPeer");
sslSocket->setSslConfiguration(config);
sslSocket->startServerEncryption()
When running this code i get the following error in my ssl errors. "The host name did not match any of the valid hosts for this certificate
Now if I change the client socket to use this when connecting sslSocket->connectToHostEncrypted("scp.radiant.io",1200,"scp.radiant.io"); it will work.
I dont understand why I have to set the peerVerifyHost argument when connecting encrypted. I would like use the same certificates for my WebSockets implementation for this as well but the QWebSocket class does not allow you to set the peerverifyHost when connecting. So I must be doing something wrong at the cert level or the os level for my FQDN. any networking and ssl help would be helpful
I think you can ignore this error using "ignoreSslErrors" and let the handshake continue
I am trying to to do a POST to an API endpoint using Openedge.
I have installed the ssl certificate of the place i am requesting from but the https request fails, telling me it can't find the ssl certificate of that place (in my /usr/dlc/certs).
"_errors": [
{
"_errorMsg": "ERROR condition: Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate: for 85cf5865.0 in /usr/dlc/certs (9318) (7211)",
"_errorNum": 9318
}
]
So, i have resorted to doing an insecure request, like curl does it with the --insecure or wget does it with "no-check-certificate"
I am using the OpenEdge.Net Libraries on OpenEdge 11.6
creds = new Credentials('https://xxxx.com', 'usersname', 'password').
oPayload = NEW JsonObject().
oRequestBody = new String('CustomerReference=xxx&NoOfParcelsToAdd=2').
oRequest = RequestBuilder:Post('https://xxxxx.com/endpoint', oRequestBody)// Add credentials to the request
:UsingBasicAuthentication(creds)
:ContentType('application/x-www-form-urlencoded')
:AcceptJson() :Request.
oResponse = ClientBuilder:Build():Client:Execute(oRequest).
I want to know, for this OpenEdge.Net Libraries is there a tag that i can put in order to skip the checking of the certificate?
I don't know of any option to skip verification but I do know that a common source of that error is that your certificate authority is not in $DLC/certs. The default list of certificate authorities is fairly narrow.
USING OpenEdge.Net.HTTP.IHttpClientLibrary.
USING OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder.
DEFINE VARIABLE oLib AS IHttpClientLibrary NO-UNDO.
oLib = ClientLibraryBuilder:Build()
:sslVerifyHost(NO)
:Library.
oHttpClient = ClientBuilder:Build()
:UsingLibrary(oLib)
:Client.
I had try to get the following URL using requests, but am getting an SSL certificate Error. I had tried all earlier Stack overflow Queries but nothing seems working
Code:
resp = requests.get('https://www.magidglove.com/', verify=certifi.where())
I had given verify=False, still not works
Error:
raise MaxRetryError(_pool, url, error or ResponseError(cause))urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='www.magidglove.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
TL;DR - The server is misconfigured. Either fix the server, pass verify=ssl.CERT_NONE, or download and pass www.magidglove.com's certificate explicitly.
The problem here is on the server, not the client. The server is only configured to return it's own certificate, which isn't enough for the client to trust it. Servers generally need to be configured to return the full certificate chain.
In order to diagnose this, you can use openssl to view some raw information about the certificate chain returned:
$ openssl s_client -connect www.google.com:443 -showcerts -servername www.google.com
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
... snipped the rest of the output ...
You can see that 3 certificates were returned by the server, and they were verified in reverse order. The GlobalSign certificate is trusted by the certifi library, the cert at depth=1 was created by the cert at depth=2, and the last cert, CN=www.google.com, was created by the cert at depth=1.
Now let's compare that to the server you were trying to connect to:
$ openssl s_client -connect www.magidglove.com:443 -showcerts -servername www.magidglove.com
CONNECTED(00000003)
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Illinois, serialNumber = 00043176, C = US, ST = Illinois, L = Romeoville, O = "Magid Glove and Safety Manufacturing Company, L.L.C.", OU = web site, CN = www.magidglove.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Illinois, serialNumber = 00043176, C = US, ST = Illinois, L = Romeoville, O = "Magid Glove and Safety Manufacturing Company, L.L.C.", OU = web site, CN = www.magidglove.com
verify error:num=21:unable to verify the first certificate
verify return:1
You can see a few things from this output:
- The server only returned a single certificate
- The client tried to verify the certificate and couldn't
It requires some knowledge of ssl to know that the reason why it couldn't verify was that it doesn't trust the certificate, but now that we know that, we can see that having the server return the full certificate chain will fix that. I suspect that the reason why chrome and other browsers don't report an error is that the browser itself knows about DigiCert, so it doesn't require a full chain.
This problem can easily be solved by adding importing the ssl to your python code and adding verify=ssl.CERT_NONE so your code should look something like this:
import requests
import ssl
resp = requests.get('https://www.magidglove.com/', verify=ssl.CERT_NONE)
That being said when running this code you might come across this error:
/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
which you could disable by adding the following lines to your code:
import requests
import ssl
import urllib3
urllib3.disable_warnings()
resp = requests.get('https://www.magidglove.com/', verify=ssl.CERT_NONE)
Hope this helps!
I am writing amqp 1.0 client (using rabbitMQ.Client in .NET) for a broker who provided me the following information:
amqps://brokerRemoteHostName:5671
certificate_openssl.p12
password for certificate as a string "mypassword"
queue name
I developed the following code in Visual Studio which is supposed to work (based on long searches on the web):
var cf = new ConnectionFactory();
cf.Uri = new Uri("amqps://brokerRemoteHostName:5671");
cf.Ssl.Enabled = true;
cf.Ssl.ServerName = "brokerRemoteHostName";
cf.Ssl.CertPath = #"C:\Users\mahmoud\Documents\certificate_openssl.p12";
cf.Ssl.CertPassphrase = "myPassword";
var connection = cf.CreateConnection();
However, the output shows an exception:
RabbitMQ.Client.Exceptions.BrokerUnreachableException:
None of the specified endpoints were reachable ---> System.IO.IOException:
connection.start was never received
likely due to a network timeout) as seen in the image.
Where line 50 corresponds to the line where we create the connection.
I appreciate your kind assistance on the error above.
If you're connecting to a docker container, you need to add the 5672 port in addition to 15672 port when creating the container. For those using ssl, the port would be 5671 instead of 5672.
Example: docker run -d --hostname my-rabbit --name rabbitmq --net customnet -p customport:15672 -p 5672:5672 rabbitmq:3-management.
You would connect from client by calling this: ConnectionFactory factory = new ConnectionFactory() { HostName = "localhost" };.
Feel free to pass in username and password if those were changed.
Official RabbitMq docker image https://hub.docker.com/_/rabbitmq starts RabbitMq broker on port 5672, but .NET RabbitMq library expects to see broker on port 5673 which for sure differs from what we have in fact in docker. The solution is just to remap 5672 to expected 5673 port
docker run -d --hostname my-rabbit --name ds-rabbit -p 8080:15672 -p 5673:5672 rabbitmq:3-management
from requests import Session
from signalr import Connection
with Session() as session:
connection = Connection("https://localhost:443/Platform", session)
Signalhub = connection.register_hub('MessageRouteHubspot')
with connection:
Signalhub.server.invoke('subscribe','1_FPGA_ACCESS_COMMANDS')
When executing this I'm getting error requests.exceptions.
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
How to bypass/ignore SSL verification??
Python's signalr-client uses WebSocket package to establish the connection. WebSocket package is then using OpenSSL to do SSL/TLS. It appears that the WebSocket client requires client CA (Certificate Authority) bundle to be passed as the environment variable WEBSOCKET_CLIENT_CA_BUNDLE.
Exporting this variable with the CA bundle including the certificates signing the original site's certificate should do the trick. Below is an example on my Ubuntu based system.
$ export WEBSOCKET_CLIENT_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
$ python test-signalr.py